Results of the DNS Measurements Hackathon Reporting from the hackathon is difficult: the spirit of the event lies in direct participation and shared experiences. In this article, we celebrate the achievements of the fifth RIPE NCC hackathon, document and promote results, and create a memento for participants.https://labs.ripe.net/Members/becha/results-dns-measurements-hackathonhttps://labs.ripe.net/logo.png

Results of the DNS Measurements Hackathon

Reporting from the hackathon is difficult: the spirit of the event lies in direct participation and shared experiences. In this article, we celebrate the achievements of the fifth RIPE NCC hackathon, document and promote results, and create a memento for participants.

Giant inflatable stroopwafel symbol of the prize in the non-competitive hackathon

The RIPE NCC's fifth hackathon happened in Amsterdam in April 2017. DNS operators, designers, researchers and developers took on the challenge and joined in to develop new tools and visualisations for DNS measurements.

Results

The results were impressive! After two days of hard work, we had eight final projects, presented in five minutes each, and the discussion continued over the beers at the closing dinner. All software is available on Github, and all the presentations are published there too.

This project was based on an idea that originally came from Shane - monitoring DNS server (SOA timestamp) propagation time to try to answer the question “How consistent is DNS?”. Short answer: it can get crazy out there! Method: looking at the moments when a change is made by one of the registrars, and following how quickly these changes propagate. Looking at the “first seen” timestamp for a specific SOA at various name servers, by using RIPE Atlas DSNMON of .com data. Python scripts, Elasticsearch and Kibana were used as tools. Several detailed findings regarding inconsistencies were visualised and shown in the slides. There were also some curious findings. Next step: an analysis based on the real-time streaming of data.

Trying to answer the questions: how do you protect from “bad actors” on the Internet? How do you know that DNS resolution is coming from the “proper” place? Method: active measurements - use RIPE Atlas probes to query a pre-set DNS record on your own server, and to use a public DNS resolver with known IP addresses; match the responses; mark the probes that show inconsistent responses. Result: out of 6,700 probes, 113 are “suspicious” or “being weird”, which might mean there is DNS hijacking going on, or something else - and that requires further analysis. They established cooperation with another team who did “DNS Fingerprinting”, and got some overlapping results - but in general, these two tools are complementary.

What I liked about this approach is that, although the goal is to measure censorship, the users involved in measurements are not put in danger, since there is no direct attempt to reach “forbidden” web sites - only the public resolver is used.

This team tackled the same problem as the previous one - identify hijacked DNS resolvers - but with a different method: by building “fingerprints” of recursive DNS servers. Using RIPE Atlas measurements, observing characteristic features in replies, and machine learning algorithms to train a computer to be able to discern between a legitimate server and a hijacked one.

Results were presented as a map and a table with the number of probes per country that were judged as “hijacked”. Not surprisingly, the density of probe distribution corresponds with the absolute numbers of affected probes. In relative terms, top-5 countries were: VN, MG, IQ, ID and KR.

Interesting side result: this fingerprinting approach can also be used to detect a somehow opposite problem: an ISP pretending to be operating their own caching recursive DNS servers, but in reality redirecting their traffic to Google or OpenDNS resolvers.

The goal was to dig (pun intended) into the wealth of reverse DNS data, and find how consistent it is: percentage of delegations with issues (lame), latency in domain object creation, coverage of address space with reverse delegations. The data sources used included the whois database, RIPE NCC Delegated stats file and RIPE Stat. Although only 100 prefixes were used as a sample, the results were not encouraging: the quality of reverse DNS delegations is quite low, and the DNSSEC situation is “very sad”. There is a lot of room for improvement among LIRs!

The goal of this project was to provide insight into caching a resolver's availability and capabilities. By querying a custom-created server, and using multiple measurements from all RIPE Atlas probes, and finally analysing received results, the final output was possible to query on the live dashboard , that you can query per probe, per resolver, or show all on the map.

Additional results of the work of this team are: the existence of new RIPE Atlas measurements, that will be useful to other researchers and DNS operators in the future; and several new feature requests for improving RIPE Atlas. Personally, I liked their team name.

Good news that we received after the hackathon was that the work goes on, and the "Go bindings" code was contributed, as a continuation of this project.

This team's objective was to implement existing anomaly detection algorithms to RIPE Atlas DNS measurements. They used DNS measurements with chaos.id support and traceroute measurements, and analysed path changes and reachability/latency. The results were presented in a live demo. Possible next steps are to: automate it to continuously probe it; detect and create notifications.

This small team’s goal was to use an existing monitoring tool (Telegraf) and “feed it” the RIPE Atlas “status updates” results. “Telegraf” is a plugin-driven server agent for collecting and reporting metrics. After writing the code in Go, the team has achieved their goal, imported data, and visualised results.

And the Stroopwafels go to…

The focus of this hackathon was on cooperation, not competition, so we did not want to have a winner-as-such. However, some projects were better in certain aspects than others, and we had a limited amount of stroopwafels to give away. After a short discussion, the jury decided to distribute stroopwafels in this way:

The work by “Team Anomalyzer” has been awarded the LARGEST BOX of stroopwafels, for the combination of their scientific approach, their use of existing measurements, and good teamwork

Two teams that worked very closely together, on the same topic of DNS censorship, but with two different approaches, received six packages of traditionally-tinned stroopwafels to share for collaboration

For the most-completed project, Alex received the “hipster” package of stroopwafels

Big thanks to the excellent jury, that had a hard work twice: first to select participant from many applicants, and then again to make judgement-call between so many good final works: Jim Reid, Desiree Milosevic and Jaap Akkerhuis.

Collection of stroopwafels as prizes for various categories of best projects

Other awards included:

T-shirts

RIPE Atlas credits

The opportunity to present the project at the RIPE 74 meeting

…and the most important reward will be the continuous support that the RIPE NCC wants to extend to the projects that are being maintained in the future. We can help by providing resources, administrative support, and opportunities to support follow-up work, if needed.

Other Activities

Before the hackathon, a smaller group visited a local hackerspace, in order to connect with the local community, as the tradition requires. Then after the event, an even smaller group visited the hot-tubs on the top of the hotel, to relax and get ready for the closing party.

Venue

The venue of the hackathon was VolksHotel, the history of which is symbolic of the history of the gentrification of Amsterdam: the building started like a publishing house for the Volkskrant newspaper, which it remained for 42 years; then, for 6 years it was a "creativity incubator" (a so-called "broedplaats"), which was a replacement for the Dutch practice of squatting the derelict buildings and the artists, students and designers taking over; and finally, 3 years ago it turned into a hipster hotel, just like almost every "free" building in Amsterdam.

New Potential Partner

While promoting our symbolic prize, we got in touch with the company Stroopwafel World, who might want to be a partner in our future events. Looking forward to the possible cooperation!

The RIPE NCC uses cookies. Some of these cookies may have been set already. More information about our cookies can be found in our privacy policy. You can accept our cookies either by clicking here or by continuing to use the site.